From 09a00a07a0db13618bad412c058c9d4786f2264b Mon Sep 17 00:00:00 2001
From: Patrick Walther <patrick.walther@netmodule.com>
Date: Fri, 24 Jul 2020 14:41:09 +0200

---
 src/common/wpa_common.c | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index 587cd88b2..2b2b09fb9 100644
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -2451,6 +2451,31 @@ u32 wpa_akm_to_suite(int akm)
 }
 
 
+static void wpa_fixup_wpa_ie_rsn(u8 *assoc_ie, const u8 *wpa_msg_ie,
+				 size_t rsn_ie_len)
+{
+	int pos, count;
+
+	pos = sizeof(struct rsn_ie_hdr) + RSN_SELECTOR_LEN;
+	if (rsn_ie_len < pos + 2)
+		return;
+
+	count = WPA_GET_LE16(wpa_msg_ie + pos);
+	pos += 2 + count * RSN_SELECTOR_LEN;
+	if (rsn_ie_len < pos + 2)
+		return;
+
+	count = WPA_GET_LE16(wpa_msg_ie + pos);
+	pos += 2 + count * RSN_SELECTOR_LEN;
+	if (rsn_ie_len < pos + 2)
+		return;
+
+	if (!assoc_ie[pos] && !assoc_ie[pos + 1] &&
+	    (wpa_msg_ie[pos] || wpa_msg_ie[pos + 1]))
+		memcpy(&assoc_ie[pos], &wpa_msg_ie[pos], 2);
+}
+
+
 int wpa_compare_rsn_ie(int ft_initial_assoc,
 		       const u8 *ie1, size_t ie1len,
 		       const u8 *ie2, size_t ie2len)
@@ -2458,8 +2483,19 @@ int wpa_compare_rsn_ie(int ft_initial_assoc,
 	if (ie1 == NULL || ie2 == NULL)
 		return -1;
 
-	if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
-		return 0; /* identical IEs */
+	if (ie1len == ie2len) {
+		u8 *ie_tmp;
+
+		if (os_memcmp(ie1, ie2, ie1len) == 0)
+			return 0; /* identical IEs */
+
+		ie_tmp = alloca(ie1len);
+		memcpy(ie_tmp, ie1, ie1len);
+		wpa_fixup_wpa_ie_rsn(ie_tmp, ie2, ie1len);
+
+		if (os_memcmp(ie_tmp, ie2, ie1len) == 0)
+			return 0; /* only mismatch in RSN capabilties */
+	}
 
 #ifdef CONFIG_IEEE80211R
 	if (ft_initial_assoc) {